A phishing attack on WhatsApp uses fake business documents to hack PCs

An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that deliver VBScript files, ultimately giving the attackers remote access to the victim's Windows PC.
The threat actor uses filenames that make the files look like business and financial documents, and sends them from the compromised WhatsApp accounts of the victim's own contacts.
Downloading and running the malicious attachment starts an infection chain that ends with the installation of ManageEngine Endpoint Central, a legitimate remote management tool that IT administrators use to manage systems from a central dashboard.

Telemetry data from cybersecurity company Kaspersky shows that the campaign has reached Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.
Attack chain
Kaspersky reports that the attack begins with messages sent from compromised accounts that contain nothing but a heavily obfuscated VBS file.
These files are given names that make them appear to be financial reports, payment statements, account statements, and similar documents likely to attract the target's attention and prompt them to open the file.
The filenames have also been localized into multiple languages, extending the campaign's global reach.

Source: Kaspersky
“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that a malicious actor gained access to several WhatsApp accounts and used them to distribute malicious VBScript files to contacts in the contact list of vulnerable users,” Kaspersky explained.
“At the time of writing, the exact method used to compromise these WhatsApp accounts is unknown.”
When the victim downloads and opens the file on Windows, the VBScript fetches two further scripts from the attacker's infrastructure. These in turn disable UAC by modifying the Registry and download a ZIP archive containing the ManageEngine Endpoint Central installer.

Source: Kaspersky
The software is silently installed in the background and configured to connect to attacker-controlled management servers, giving the threat actor remote control of the victim's computer.
Kaspersky notes that a VBS file received through WhatsApp Web must first be downloaded and then opened, whereas in the WhatsApp Desktop client it can be opened directly, which executes it through Windows Script Host (wscript.exe).
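Each stage of the chain described above leaves a distinct host artifact: a script host launched against a downloaded .vbs (with a messenger as parent when opened from WhatsApp Desktop), a registry write that turns UAC off, and an RMM agent talking to a server the organization never deployed. The following is an added detection example written for this article, not code from Kaspersky or from the ManageEngine product. The event lines are constructed in a simplified Sysmon-like key=value form; the WhatsApp Desktop process name, the agent path, the EnableLUA value as the registry target (the article only says UAC was disabled "by modifying the Registry"), and the allow-list of legitimate Endpoint Central servers are all assumptions a defender would adapt to their own environment.

```python
"""Three-stage detection for the WhatsApp VBS -> UAC off -> RMM install chain.

Added example for this article; not Kaspersky's or the article's own code.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample telemetry (Sysmon-like). EventID 1 = process creation,
# 13 = registry value set, 3 = network connection. Paths, IPs and process
# names are invented for the example, not indicators from the report.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\wscript.exe" '
    'ParentImage="C:\\Users\\bob\\AppData\\Local\\WhatsApp\\WhatsApp.exe" '
    'CommandLine="wscript.exe C:\\Users\\bob\\Downloads\\Payment_Statement_Q3.vbs"',
    'EventID=13 Image="C:\\Windows\\System32\\wscript.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" '
    'Details="DWORD (0x00000000)"',
    'EventID=3 Image="C:\\Program Files\\ManageEngine\\agent\\agent.exe" '
    'DestinationIp=203.0.113.7 DestinationPort=8383',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe notes.txt"',
    'EventID=3 Image="C:\\Program Files\\ManageEngine\\agent\\agent.exe" '
    'DestinationIp=10.0.0.5 DestinationPort=8383',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MESSENGER_PARENTS = {"whatsapp.exe"}        # assumption: WhatsApp Desktop's process name
UAC_VALUE_TAIL = "policies\\system\\enablelua"  # assumption: the UAC value the scripts flip
ALLOWED_RMM_SERVERS = {"10.0.0.5"}           # assumption: the org's own Endpoint Central server

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value line; quoted values may contain spaces and backslashes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host(ev: Dict[str, str]) -> Optional[str]:
    """Stage 1: wscript/cscript running a .vbs/.vbe from Downloads or from a messenger."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if not re.search(r"\.vb[se]\b", cmd):
        return None
    # WhatsApp Desktop opens the file directly (parent = messenger); via WhatsApp Web
    # the user saves it first, so the script path under Downloads is the signal.
    if basename(ev.get("ParentImage", "")) in MESSENGER_PARENTS or "\\downloads\\" in cmd:
        return "vbs_run_from_messenger_download"
    return None


def rule_uac_disabled(ev: Dict[str, str]) -> Optional[str]:
    """Stage 2: EnableLUA written to 0 (UAC switched off)."""
    if ev.get("EventID") != "13":
        return None
    target = ev.get("TargetObject", "").lower()
    if target.endswith(UAC_VALUE_TAIL) and ev.get("Details", "").endswith("(0x00000000)"):
        return "uac_enablelua_set_to_0"
    return None


def rule_rmm_unexpected_server(ev: Dict[str, str]) -> Optional[str]:
    """Stage 3: a ManageEngine agent connecting to a server outside the allow-list."""
    if ev.get("EventID") != "3" or "manageengine" not in ev.get("Image", "").lower():
        return None
    if ev.get("DestinationIp") not in ALLOWED_RMM_SERVERS:
        return "rmm_agent_to_unapproved_server"
    return None


RULES: List[Callable[[Dict[str, str]], Optional[str]]] = [
    rule_script_host, rule_uac_disabled, rule_rmm_unexpected_server,
]


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, image) for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append((name, ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:35s} {image}")
```

The benign notepad launch and the agent checking in with the approved server produce no findings, so the rules stay quiet on normal activity; the three malicious events each fire exactly one rule. Any one of the three stages alone is a reasonable alert, but seeing them in sequence on the same host is the strongest signal that the chain the article describes has completed.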

Source: Kaspersky
Although Kaspersky did not attribute the attack to a specific threat actor, the researchers found Chinese-language artifacts and infrastructure overlapping with IP addresses previously linked to ValleyRAT and Gh0st RAT activity.
However, that evidence is not enough for a high-confidence attribution.
WhatsApp users are advised to treat files sent by contacts, even trusted ones, with caution and to verify them through a second channel before opening them.
All downloaded files should be scanned with up-to-date antivirus software before use.
